Puppet CodeManager - Cannot get it to work on https with certificate errors.

asked 2018-01-16 00:44:40 -0500 by Romiko

updated 2018-01-16 11:56:20 -0500 by DarylW

Hi,

I have Puppet Master installed and managed to configure the puppet web console to use our SSL Cert. So when I use the puppet web console I do not get any errors.

However, I am trying to use a webhook via Visual Studio Online. The webhook will call my endpoint service-url: "https://mycustomdomainname:8170/code-manager"

e.g. https://mycustomdomainname:8170/code-...

Basically I get an SSL certificate mismatch, so I cannot do it. If I ignore SSL certificate checks, then it works.

e.g.

```shell
curl -k -X POST "https://mycustomdomainname:8170/code-manager/v1/webhook?type=tfs-git&token=12345"
{"status":"OK"}
```

Remove the `-k` and the error is:

```
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
```

For the Puppet console this was easy to fix with class `puppet_enterprise::profile::console` (`browser_ssl_cert`, `browser_ssl_private_key`).

Does Code Manager have something similar?

I notice that `/etc/puppetlabs/puppetserver/conf.d/webserver.conf` has the original Puppet master certificate assigned to the Code Manager REST URL.

Surely there must be an option to get the Code Manager endpoint working with an externally signed cert?

```hocon
code-manager: {
    client-auth: "want"
    ssl-host: "0.0.0.0"
    ssl-port: 8170
    ssl-ca-cert: "/etc/puppetlabs/puppet/ssl/certs/ca.pem"
    # the two lines below were highlighted in the question
    ssl-cert: "/etc/puppetlabs/puppet/ssl/certs/puppet.pem"
    ssl-key: "/etc/puppetlabs/puppet/ssl/private_keys/puppet.pem"
    ssl-crl-path: "/etc/puppetlabs/puppet/ssl/crl.pem"
    access-log-config: "/etc/puppetlabs/puppetserver/code-manager-request-logging.xml"
    ssl-protocols: [
        "TLSv1",
        "TLSv1.1",
        "TLSv1.2"
    ]
  }
```
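The curl output above lumps several distinct failures into one "verification failed" message. The following diagnostic, added here as an example and not part of this thread or of Puppet Enterprise, performs the same verifying handshake curl does without `-k` and names the cause: a hostname mismatch (the served `puppet.pem` carries the Puppet master's name, not `mycustomdomainname`) versus a chain that ends in the Puppet CA, which the system bundle does not trust. It also reads which `ssl-cert`/`ssl-key` the `code-manager` block of `webserver.conf` actually serves; the host, port, CA bundle path and the sample config text are assumptions.

```python
"""Diagnose why TLS verification of the Code Manager endpoint fails."""
import re
import socket
import ssl

# OpenSSL X509_V_ERR_* codes exposed as ssl.SSLCertVerificationError.verify_code
VERIFY_CODES = {
    10: "expired: the served certificate's notAfter is in the past",
    18: "untrusted-ca: the leaf certificate is self-signed",
    19: "untrusted-ca: chain ends in a CA missing from the bundle (e.g. Puppet's own CA)",
    20: "untrusted-ca: issuer certificate not found in the CA bundle",
    21: "untrusted-ca: first certificate cannot be verified",
    62: "hostname-mismatch: CN/SAN does not contain the requested host name",
}

def explain(code):
    """Map an OpenSSL verify code to a short diagnosis."""
    return VERIFY_CODES.get(code, f"other: verify_code={code}")

def classify(err):
    """Diagnose an ssl.SSLCertVerificationError raised during the handshake."""
    return explain(getattr(err, "verify_code", None))

def probe(host, port=8170, cafile=None, timeout=5.0):
    """Handshake as curl without -k would; return 'ok' or the diagnosis."""
    ctx = ssl.create_default_context(cafile=cafile)  # chain + hostname checks on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError as e:
        return classify(e)

def served_identity(config_text):
    """Return the ssl-cert/ssl-key paths of the code-manager block in webserver.conf."""
    m = re.search(r"code-manager:\s*\{(.*?)\n\s*\}", config_text, re.S)
    block = m.group(1) if m else ""
    return dict(re.findall(r'(ssl-cert|ssl-key):\s*"([^"]+)"', block))

# Constructed sample mirroring the block quoted in the question.
SAMPLE_WEBSERVER_CONF = """
code-manager: {
    ssl-port: 8170
    ssl-ca-cert: "/etc/puppetlabs/puppet/ssl/certs/ca.pem"
    ssl-cert: "/etc/puppetlabs/puppet/ssl/certs/puppet.pem"
    ssl-key: "/etc/puppetlabs/puppet/ssl/private_keys/puppet.pem"
    ssl-protocols: [ "TLSv1.2" ]
  }
"""

if __name__ == "__main__":
    print(served_identity(SAMPLE_WEBSERVER_CONF))
    print(probe("mycustomdomainname"))  # assumed host; needs network access
```

If `probe` reports `hostname-mismatch`, the cert in `ssl-cert` was issued for a different name; if it reports `untrusted-ca`, the caller's bundle does not contain the CA that signed it.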